!41 fix CVE-2020-9430

From: @zhanghua1831 Reviewed-by: @wangxiao65,@small_leek Signed-off-by: @small_leek
2020-12-17 17:50:39 +08:00 · 2020-12-17 17:50:39 +08:00 · 7dba72c622
commit 7dba72c622
parent 2964f22cd7 86a8757002
3 changed files with 111 additions and 1 deletions
--- a/CVE-2020-9430-1.patch
+++ b/CVE-2020-9430-1.patch
@ -0,0 +1,71 @@
+From 93d6b03a67953b82880cdbdcf0d30e2a3246d790 Mon Sep 17 00:00:00 2001
+From: Gerald Combs <gerald@wireshark.org>
+Date: Fri, 7 Feb 2020 11:17:35 -0800
+Subject: [PATCH] WiMax DLMAP: Add a length check.
+
+Make sure we have enough data for a CRC.
+
+Bug: 16368
+Change-Id: I03a2532061a5cf5e28cb65c83dd4ab90654d1679
+Reviewed-on: https://code.wireshark.org/review/36051
+Reviewed-by: Gerald Combs <gerald@wireshark.org>
+---
+ plugins/epan/wimax/.editorconfig | 10 ++++++++++
+ plugins/epan/wimax/msg_dlmap.c   |  9 ++++++++-
+ 2 files changed, 18 insertions(+), 1 deletion(-)
+ create mode 100644 plugins/epan/wimax/.editorconfig
+
+diff --git a/plugins/epan/wimax/.editorconfig b/plugins/epan/wimax/.editorconfig
+new file mode 100644
+index 0000000..541cd9d
+--- /dev/null
+++ b/plugins/epan/wimax/.editorconfig
+@@ -0,0 +1,10 @@
+#
+# Editor configuration
+#
+# https://editorconfig.org/
+#
+
+[msg_dlmap.[ch]]
+indent_style = tab
+indent_size = tab
+
+diff --git a/plugins/epan/wimax/msg_dlmap.c b/plugins/epan/wimax/msg_dlmap.c
+index 05f8714..c2cdf54 100644
+--- a/plugins/epan/wimax/msg_dlmap.c
+++ b/plugins/epan/wimax/msg_dlmap.c
+@@ -593,6 +593,7 @@ static int hf_dlmap_reduced_aas_spid = -1;
+ static expert_field ei_dlmap_not_implemented = EI_INIT;
+ static expert_field ei_crc16 = EI_INIT;
+ static expert_field ei_mac_header_compress_dlmap_crc = EI_INIT;
+static expert_field ei_mac_header_invalid_length = EI_INIT;
+ 
+ /* Copied and renamed from proto.c because global value_strings don't work for plugins */
+ static const value_string plugin_proto_checksum_vals[] = {
+@@ -2383,7 +2384,12 @@ gint wimax_decode_dlmapc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *base_tre
+ 
+ 	/* CRC is always appended */
+ 	/* check the length */
+-	if (MIN(tvb_len, tvb_reported_length(tvb)) >= mac_len)
+	if (mac_len <= sizeof(mac_crc))
+	{
+		expert_add_info_format(pinfo, ti, &ei_mac_header_invalid_length,
+		"Invalid length: %d.", mac_len);
+	}
+	else if (MIN(tvb_len, tvb_reported_length(tvb)) >= mac_len)
+ 	{
+ 		/* calculate the CRC */
+ 		calculated_crc = wimax_mac_calc_crc32(tvb_get_ptr(tvb, 0, mac_len - (int)sizeof(mac_crc)), mac_len - (int)sizeof(mac_crc));
+@@ -3436,6 +3442,7 @@ void proto_register_mac_mgmt_msg_dlmap(void)
+ 		{ &ei_dlmap_not_implemented, { "wmx.dlmap.not_implemented", PI_UNDECODED, PI_WARN, "Not implemented", EXPFILL }},
+ 		{ &ei_crc16, { "wmx.dlmap.bad_checksum", PI_CHECKSUM, PI_ERROR, "Bad checksum", EXPFILL }},
+ 		{ &ei_mac_header_compress_dlmap_crc, { "wmx.compress_dlmap.bad_checksum", PI_CHECKSUM, PI_ERROR, "Bad checksum", EXPFILL }},
+		{ &ei_mac_header_invalid_length, { "wmx.compress_dlmap.invalid_length", PI_MALFORMED, PI_ERROR, "Invalid length", EXPFILL }},
+ 	};
+ 
+ 	expert_module_t* expert_mac_mgmt_msg_dlmap;
+-- 
+2.7.4
+
+
--- a/CVE-2020-9430-2.patch
+++ b/CVE-2020-9430-2.patch
@ -0,0 +1,34 @@
+From 6b98dc63701b1da1cc7681cb383dabb0b7007d73 Mon Sep 17 00:00:00 2001
+From: Gerald Combs <gerald@wireshark.org>
+Date: Wed, 12 Feb 2020 12:07:52 -0800
+Subject: [PATCH] WiMax DLMAP: Fix a large loop.
+
+Make sure we advance our offset.
+
+Bug: 16383
+Ping-Bug: 16368
+Change-Id: I4949cb0988601dbe545d0bc22de4d654b4e61204
+Reviewed-on: https://code.wireshark.org/review/36085
+Reviewed-by: Gerald Combs <gerald@wireshark.org>
+Petri-Dish: Gerald Combs <gerald@wireshark.org>
+Reviewed-by: Anders Broman <a.broman58@gmail.com>
+(cherry picked from commit 6dad599a8a1bda8b8e999cc4a7e460140e4ecc0a)
+Reviewed-on: https://code.wireshark.org/review/36094
+---
+ plugins/epan/wimax/msg_dlmap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/plugins/epan/wimax/msg_dlmap.c b/plugins/epan/wimax/msg_dlmap.c
+index c2cdf54..6961d55 100644
+--- a/plugins/epan/wimax/msg_dlmap.c
+++ b/plugins/epan/wimax/msg_dlmap.c
+@@ -2388,6 +2388,7 @@ gint wimax_decode_dlmapc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *base_tre
+ 	{
+ 		expert_add_info_format(pinfo, ti, &ei_mac_header_invalid_length,
+ 		"Invalid length: %d.", mac_len);
+		return sizeof(mac_crc);
+ 	}
+ 	else if (MIN(tvb_len, tvb_reported_length(tvb)) >= mac_len)
+ 	{
+-- 
+2.7.4
--- a/wireshark.spec
+++ b/wireshark.spec
@ -1,6 +1,6 @@
 Name:           wireshark
 Version:        2.6.2
-Release:        14
+Release:        15
 Epoch:          1
 Summary:        Network traffic analyzer
 License:        GPL+
@ -45,6 +45,8 @@ Patch6030:      CVE-2020-25862.patch
 Patch6031:      CVE-2020-25863.patch
 Patch6032:      wireshark-initialize-point-in-end_string.patch
 Patch6033:      CVE-2020-28030.patch
+Patch6034:      CVE-2020-9430-1.patch
+Patch6035:      CVE-2020-9430-2.patch

 Requires(pre):  shadow-utils
 Requires(post): systemd-udev
@ -151,6 +153,9 @@ getent group usbmon >/dev/null || groupadd -r usbmon
 %{_mandir}/man?/*

 %changelog
+* Wed Dec 16 2020 zhanghua <zhanghua40@huawei.com> - 2.6.2-15
+- fix CVE-2020-9430
+
 * Mon Nov 07 2020 wangxiao <wangxiao65@huawei.com> - 2.6.2-14
 - fix CVE-2020-28030
  malformed packet on wire could make GQUIC protocol dissector loop